22 CFR § 126.7 - Exemption for defense trade and cooperation among Australia, the United Kingdom, and the United States.
(a) No license or other approval is required for the export, reexport, retransfer, or temporary import of defense articles, the performance of defense services, or engaging in brokering activities as described in part 129 of this subchapter, between or among authorized users of this exemption, subject to the requirements and limitations in paragraph (b) of this section.
(b) The exemption described in paragraph (a) of this section is subject to the following requirements and limitations:
(1) The activity must be to or within the physical territory of Australia, the United Kingdom, or the United States;
(2) The transferor, recipient, or broker must each be:
(i) U.S. persons registered with the applicable Directorate of Defense Trade Controls (DDTC) registration pursuant to §§ 122.1 and 129.3 of this subchapter, and not debarred under § 127.7 of this subchapter;
(ii) A U.S. Government department or agency; or
(iii) Authorized users identified through the DDTC website and, if engaging in brokering activities, registered with DDTC pursuant to § 129.3 of this subchapter;
(3) The defense article or defense service is not identified in supplement no. 2 to this part as ineligible for transfer under the exemption in paragraph (a) of this section;
(4) The value of the transfer does not exceed the amounts described in § 123.15 of this subchapter and does not involve the manufacturing abroad of significant military equipment as described in § 124.11 of this subchapter; and
(5) Transferors must comply with the requirements of § 123.9(b) of this subchapter.
The exemption in paragraph (a) of this section does not remove other applicable U.S. statutory and regulatory requirements. For example, for U.S. authorized users, transfers of classified defense articles and defense services must still meet the requirements in 32 CFR part 117, National Industrial Security Program Operating Manual (NISPOM), in addition to all other applicable laws. Australian authorized users must, for example, meet the requirements in the Australian Protective Security Policy Framework, including appropriate security risk management for contracted providers. United Kingdom authorized users must, for example, meet the requirements in the Government Functional Standards GovS 007: Security.